Last change on this file since 53c03ca was 3e7d77b, checked in by ramon <ramongomez@…>, 9 years ago

#736: Revertir movimiento de fichero de revisión r5011 y modificar instalador y actualizador para copiar el contenido del directorio server/lib al servidor.

git-svn-id: https://opengnsys.es/svn/branches/version1.1@5014 a21b9725-9963-47de-94b9-378ad31fedc9

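#!/bin/bash
#/**
#@file    security-config
#@brief   OpenGnsys Server security configuration.
#@note    Security configuration tips for UFW, FirewallD and SELinux.
#@version 1.1.0 - Initial version.
#@author  Ramón M. Gómez, ETSII Univ. Sevilla
#@date    2016-04-18
#*/ ##


# Variables.
PROG=$(basename "$0")
OPENGNSYS=/opt/opengnsys

# Deliberately no "set -e": every firewall/SELinux step is best-effort and a
# single failing rule must not abort the rest of the hardening.

#######################################
# Print a warning on stderr, prefixed with the program name.
# Arguments: $* - message text
#######################################
warn() {
        echo "$PROG: Warning: $*" >&2
}

#######################################
# Open the services the OpenGnsys server exposes, using UFW, and enable it.
# Globals:   none
# Outputs:   ufw diagnostics on stdout/stderr
#######################################
configure_ufw() {
        # Adding active services (application profiles shipped by the packages).
        ufw allow "Apache Secure"
        ufw allow OpenSSH
        ufw allow Samba
        # NOTE(review): unlike the firewalld branch, which adds mysql only to the
        # "internal" zone, this opens MySQL on every interface; if the database
        # should only be reachable from the client network, restrict it, e.g.
        # "ufw allow from <client-net> to any port 3306".
        ufw allow mysql
        ufw allow rsync
        ufw allow tftp
        ufw allow 67,68/udp             # DHCP
        ufw allow 2002,2008/tcp         # OpenGnsys services
        ufw allow 9000:9051/udp         # Multicast
        ufw allow 6881:6999/udp         # BitTorrent
        # Applying configuration.
        ufw enable
}

#######################################
# Open the services the OpenGnsys server exposes, using FirewallD.
# Defines the ogAdmServer/ogAdmRepo service files first, then adds every
# service/port to the permanent configuration and reloads it.
# Globals:   none
# Outputs:   firewall-cmd diagnostics on stdout/stderr
#######################################
configure_firewalld() {
        # Defining OpenGnsys services through firewalld's own Python API.
        # The program is fed on stdin; the quoted delimiter keeps it literal,
        # and Python requires these lines to start at column 0.
        # NOTE(review): "python" must be the interpreter firewalld is installed
        # for (python2 on the releases this was written for) — confirm on newer
        # distributions where only python3 exists.
        python - <<'EOF'
import firewall.core.io.service as ios
s=ios.Service()
s.short = 'OpenGnsys Server'
s.name = 'ogAdmServer'
s.ports = [('2008', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')
s.short = 'OpenGnsys Repository'
s.name = 'ogAdmRepo'
s.ports = [('2002', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')
EOF
        # Adding active services.
        firewall-cmd --permanent --add-service=dhcp
        firewall-cmd --permanent --add-service=https
        firewall-cmd --permanent --add-service=mysql --zone internal
        firewall-cmd --permanent --add-service=ogAdmRepo
        firewall-cmd --permanent --add-service=ogAdmServer
        # Ubuntu 14.04 does not define "rsyncd" service.
        firewall-cmd --permanent --add-service=rsyncd || \
                firewall-cmd --permanent --add-port=873/tcp
        firewall-cmd --permanent --add-service=samba
        firewall-cmd --permanent --add-service=ssh
        firewall-cmd --permanent --add-service=tftp
        # Adding Multicast ports.
        firewall-cmd --permanent --add-port=9000-9051/udp
        # Adding BitTorent ports.
        firewall-cmd --permanent --add-port=6881-6999/udp
        # Applying configuration.
        firewall-cmd --reload
}

#######################################
# Set the SELinux booleans Apache and Samba need and label the OpenGnsys
# trees, then relabel the installation directory.
# Globals:   OPENGNSYS (read)
# Outputs:   setsebool/semanage/restorecon diagnostics
#######################################
configure_selinux() {
        # Configuring Apache.
        setsebool -P httpd_can_connect_ldap on
        semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
        # Configuring Samba.
        setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
        semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
        semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
        # Applying configuration (quoted so an odd install path cannot split).
        restorecon -R "$OPENGNSYS"
}

#######################################
# Entry point: check privileges, then configure whichever firewall and
# SELinux tooling is present.
# Globals:   PROG (read)
# Returns:   exits 1 when not run as root
#######################################
main() {
        # Errors control: compare the effective UID rather than $USER, which is
        # not set (or not reset) by every way of becoming root.
        if [ "$(id -u)" != 0 ]; then
                echo "$PROG: Need to be root." >&2
                exit 1
        fi

        # Firewall: prefer UFW, then FirewallD. The lookup is silenced so the
        # tool's path is not printed as if it were output of this script.
        if command -v ufw >/dev/null 2>&1; then
                configure_ufw
        elif command -v firewall-cmd >/dev/null 2>&1; then
                configure_firewalld
        else
                warn "Firewall won't be configured (neither ufw or firewalld are installed)."
        fi

        # SELinux: semanage lives in a separate package on some distributions,
        # so having setsebool alone is not enough for the labelling below.
        if command -v setsebool >/dev/null 2>&1 && command -v semanage >/dev/null 2>&1; then
                configure_selinux
        else
                warn "SELinux won't be configured (policycoreutils is not installed)."
        fi
}

main "$@"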